Know The Difference Between DFARS and CMMC

Know The Difference Between DFARS and CMMC

If you’re an existing US Department of Defense (DoD) contractor, then you’ve probably achieved Defense Federal Acquisition Regulation Supplement (DFARS) compliance by now. But did you know that DoD will soon be requiring all contractors — some as early as September 2020 — to pass the Cybersecurity Maturity Model Certification (CMMC)

Background: DFARS vs. CMMC

To protect all controlled unclassified information (CUI) that the DoD handles, the department required all of its contractors to meet certain cybersecurity requirements — known as DFARS compliance — by December 31, 2017.

Further reading: Understanding DFARS Compliance: Overview & Requirements

However, over the past years, the DoD struggled with a low rate of DFARS compliance. To address this issue, the department introduced CMMC and its five levels as a way to categorize its contractors. Those in Levels 1 and 2 need not meet all the requirements of DFARS. But those who have already achieved DFARS compliance can easily obtain CMMC Level 3 by adopting several more cyber hygiene practices when they undergo certification.

Difference Between DFARS and CMMC

DFARS and CMMC are similar in many ways because the latter draws heavily from the former, but there are some key differences between them.

What is CMMC and its Five Levels

Unlike DFARS, CMMC has five levels of maturity based on the complexity of cybersecurity practices and processes, with each level characterized by its focus.

By categorizing its contractors into different levels, the DoD can ensure that contractors for each project have the appropriate cybersecurity practices and processes in place to protect FCI and CUI.

Technical Basis

To be DFARS-compliant, a DoD contractor must meet all 14 security requirements stipulated in the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. On the other hand, CMMC uses different technical frameworks for each of its levels.

5 levels 2

Compliance Assessor

While self-assessment is enough in achieving DFARS, CMMC requires an external assessor to evaluate the cybersecurity posture of DoD contractors and assign them with their appropriate CMMC level. This external assessor must have received its training and license from the CMMC Accreditation Body.

Next Step for DoD Contractors

If you’ve already achieved DFARS compliance, then you should adopt at least 20 more cyber hygiene practices to obtain CMMC Level 3 in your external assessment. But if you want to be able to bid on more DoD contracts, then aim for Levels 4 or 5.

Charles IT can help you achieve both DFARS and CMMC compliance with our two-step process: First a Gap Assessment to determine where your gaps are, then provide you with our Compliance Services to fill those gaps.

Start your journey to compliance by finding out your security gaps today!

Learn more about CMMC

Compliance with NIST SP 800-171 can be a herculean task for small businesses. CMMC is a cost-effective solution to achieve the minimum Level 1 requirement. Find out more by click the button below.

Show Me How

New call-to-action